Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 31 Mar 2016 09:19:40 +0100
From: Dominic Cleal <>
Subject: CVE-2016-2100: Foreman private bookmarks can be viewed and edited

CVE-2016-2100: Foreman allows read and write access to search bookmarks
set as 'private' to other users.

Bookmarks can be stored for quick access to frequent searches in the
Foreman web UI, which can be used to filter lists of hosts and other
objects.  These are either marked private or public, however the UI and
API for users to manage their bookmarks listed all bookmarks, including
private bookmarks of other users.  This allowed them to be viewed,
edited, or deleted.

Affects: Foreman 0.3 or higher
Fix released in Foreman 1.10.3 and Foreman 1.11.0-RC2


More information:

Dominic Cleal

Download attachment "signature.asc" of type "application/pgp-signature" (182 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.